Add installation of new debian and GPG keys

defaults/main.yml

@@ -39,7 +39,7 @@ datadog_agent_version: ""
 
 # Default apt repo and keyserver
 
-# By default, the roll uses the official apt Datadog repository for the chosen major version
+# By default, the role uses the official apt Datadog repository for the chosen major version
 # Use the datadog_apt_repo variable to override the repository used.
 datadog_apt_repo: ""
 
@@ -52,24 +52,29 @@ datadog_apt_backup_keyserver: hkp://pool.sks-keyservers.net:80
 
 # Default yum repo and keys
 
-# By default, the roll uses the official yum Datadog repository for the chosen major version
+# By default, the role uses the official yum Datadog repository for the chosen major version
 # Use the datadog_yum_repo variable to override the repository used.
 datadog_yum_repo: ""
 
 datadog_yum_gpgkey: "https://yum.datadoghq.com/DATADOG_RPM_KEY.public"
+# this key expires in 2022
 datadog_yum_gpgkey_e09422b3: "https://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
 datadog_yum_gpgkey_e09422b3_sha256sum: "694a2ffecff85326cc08e5f1a619937999a5913171e42f166e13ec802c812085"
-
+# this key expires in 2024
+datadog_yum_gpgkey_20200908: "http://yum.datadoghq.com/DATADOG_RPM_KEY_20200908.public"
+datadog_yum_gpgkey_20200908_sha256sum: "4d16c598d3635086762bd086074140d947370077607db6d6395b8523d5c23a7d"
 # Default zypper repo and keys
 
-# By default, the roll uses the official zypper Datadog repository for the chosen major version
+# By default, the role uses the official zypper Datadog repository for the chosen major version
 # Use the datadog_zypper_repo variable to override the repository used.
 datadog_zypper_repo: ""
 
 datadog_zypper_gpgkey: "https://yum.datadoghq.com/DATADOG_RPM_KEY.public"
 datadog_zypper_gpgkey_sha256sum: "00d6505c33fd95b56e54e7d91ad9bfb22d2af17e5480db25cba8fee500c80c46"
 datadog_zypper_gpgkey_e09422b3: "https://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
 datadog_zypper_gpgkey_e09422b3_sha256sum: "694a2ffecff85326cc08e5f1a619937999a5913171e42f166e13ec802c812085"
+datadog_zypper_gpgkey_20200908: "http://yum.datadoghq.com/DATADOG_RPM_KEY_20200908.public"
+datadog_zypper_gpgkey_20200908_sha256sum: "4d16c598d3635086762bd086074140d947370077607db6d6395b8523d5c23a7d"
 
 # Avoid checking if the agent is running or not. This can be useful if you're
 # using sysvinit and providing your own init script.

tasks/pkg-debian.yml

@@ -6,7 +6,7 @@
     state: present
   when: not ansible_check_mode
 
-- name: Install ubuntu apt-key server
+- name: Install apt-key from keyserver (Expires 2022)
   apt_key:
     id: A2923DFF56EDA6E76E55E492D3A80E30382E94DE
     keyserver: "{{ datadog_apt_backup_keyserver if use_apt_backup_keyserver else datadog_apt_keyserver }}"
@@ -17,13 +17,31 @@
   retries: "{{ datadog_apt_key_retries }}"
   when: datadog_apt_key_url_new is not defined
 
-- name: Install Datadog apt-key
+- name: Install Datadog apt-key from url (Expires 2022)
   apt_key:
     id: A2923DFF56EDA6E76E55E492D3A80E30382E94DE
     url: "{{ datadog_apt_key_url_new }}"
     state: present
   when: datadog_apt_key_url_new is defined
 
+- name: Install apt-key from keyserver (Expires 2032)
+  apt_key:
+    id: D75CEA17048B9ACBF186794B32637D44F14F620E
+    keyserver: "{{ datadog_apt_backup_keyserver if use_apt_backup_keyserver else datadog_apt_keyserver }}"
+    state: present
+    # keyserver.ubuntu.com is a pool of server, we should retry if one of them is down
+  register: result_2032
+  until: not result_2032.failed is defined or not result_2032.failed
+  retries: "{{ datadog_apt_key_retries }}"
+  when: datadog_apt_key_url_new is not defined
+
+- name: Install Datadog apt-key from url (Expires 2032)
+  apt_key:
+    id: D75CEA17048B9ACBF186794B32637D44F14F620E
+    url: "{{ datadog_apt_key_url_new }}"
+    state: present
+  when: datadog_apt_key_url_new is defined
+
 - name: Ensure Datadog non-https repositories are deprecated
   apt_repository:
     repo: "{{ item }}"

tasks/pkg-redhat.yml

@@ -1,24 +1,36 @@
 ---
-- name: Download new RPM key
+- name: Download new RPM key (Expires in 2022)
   get_url:
     url: "{{ datadog_yum_gpgkey_e09422b3 }}"
     dest: /tmp/DATADOG_RPM_KEY_E09422B3.public
     checksum: "sha256:{{ datadog_yum_gpgkey_e09422b3_sha256sum }}"
 
-- name: Import new RPM key
+- name: Import new RPM key (Expires in 2022)
   rpm_key:
     key: /tmp/DATADOG_RPM_KEY_E09422B3.public
     state: present
   when: not ansible_check_mode
 
+- name: Download new RPM key (Expires in 2024)
+  get_url:
+    url: "{{ datadog_yum_gpgkey_20200908 }}"
+    dest: /tmp/DATADOG_RPM_KEY_20200908.public
+    checksum: "sha256:{{ datadog_yum_gpgkey_20200908_sha256sum }}"
+
+- name: Import new RPM key (Expires in 2024)
+  rpm_key:
+    key: /tmp/DATADOG_RPM_KEY_20200908.public
+    state: present
+  when: not ansible_check_mode
+
 - name: Install Datadog yum repo
   yum_repository:
     name: "ansible_datadog_{{ item.key }}"
     description: Datadog, Inc.
     baseurl: "{{ item.value }}"
     enabled: yes
     gpgcheck: yes
-    gpgkey: "{% if datadog_agent_major_version|int == 7 %}{{ datadog_yum_gpgkey_e09422b3 }}{% else %}{{ datadog_yum_gpgkey }}{% endif %}"
+    gpgkey: "{% if datadog_agent_major_version|int == 7 %}{{ datadog_yum_gpgkey_20200908 }}{% else %}{{ datadog_yum_gpgkey }}{% endif %}"
     state: "{% if item.key == datadog_agent_major_version|int and datadog_yum_repo | length == 0 %}present{% else %}absent{% endif %}"
   when: (not ansible_check_mode)
   with_dict:

tasks/pkg-suse.yml

@@ -27,30 +27,55 @@
   when: datadog_agent_major_version|int < 7 and not ansible_check_mode
 
 - block:  # Work around due to SNI check for SLES11
-  - name: Stat if new RPM key already exists
+  - name: Stat if E09422B3 key (Expires 2022) RPM key already exists
     stat:
       path: /tmp/DATADOG_RPM_KEY_E09422B3.public
     register: ddnewkey
-  - name: Download new RPM key (SLES11)
+  - name: Download E09422B3 key (Expires 2022) RPM key (SLES11)
     get_url:
       url: "{{ datadog_zypper_gpgkey_e09422b3 }}"
       dest: /tmp/DATADOG_RPM_KEY_E09422B3.public
     when: not ddnewkey.stat.exists
   when: ansible_distribution_version|int == 11
 
-- name: Download new RPM key
+- name: Download E09422B3 key (Expires 2022) RPM key
   get_url:
     url: "{{ datadog_zypper_gpgkey_e09422b3 }}"
     dest: /tmp/DATADOG_RPM_KEY_E09422B3.public
     checksum: "sha256:{{ datadog_zypper_gpgkey_e09422b3_sha256sum }}"
   when: ansible_distribution_version|int >= 12
 
-- name: Import new RPM key
+- name: Import E09422B3 key (Expires 2022) RPM key
   rpm_key:
     key: /tmp/DATADOG_RPM_KEY_E09422B3.public
     state: present
   when: not ansible_check_mode
 
+- block:  # Work around due to SNI check for SLES11
+  - name: Stat if 20200908 key (Expires 2024) RPM key already exists
+    stat:
+      path: /tmp/DATADOG_RPM_KEY_20200908.public
+    register: ddnewkey_20200908
+  - name: Download 20200908 key (Expires 2024) RPM key (SLES11)
+    get_url:
+      url: "{{ datadog_zypper_gpgkey_20200908 }}"
+      dest: /tmp/DATADOG_RPM_KEY_20200908.public
+    when: not  ddnewkey_20200908.stat.exists
+  when: ansible_distribution_version|int == 11
+
+- name: Download 20200908 key (Expires 2024) RPM key
+  get_url:
+    url: "{{ datadog_zypper_gpgkey_20200908 }}"
+    dest: /tmp/DATADOG_RPM_KEY_20200908.public
+    checksum: "sha256:{{ datadog_zypper_gpgkey_20200908_sha256sum }}"
+  when: ansible_distribution_version|int >= 12
+
+- name: Import 20200908 key (Expires 2024) RPM key
+  rpm_key:
+    key: /tmp/DATADOG_RPM_KEY_20200908.public
+    state: present
+  when: not ansible_check_mode
+
 # ansible don't allow repo_gpgcheck to be set, we have to create the repo file manually
 - name: Install DataDog zypper repo
   template: